CVE-2022-48197

MEDIUM NUCLEI

YUI 2000-2800 - Reflected Cross-Site Scripting in Sandbox Examples

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-48197. PoCs were published by SITE Team and ryan412. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit demonstrates multiple reflected XSS vulnerabilities in YUI2 TreeView v2.8.2 by injecting malicious scripts via URL parameters. The PoC provides specific URLs with payloads that trigger XSS alerts.

Description

Reflected cross-site scripting (XSS) exists in Sandbox examples in the YUI2 repository. The download distributions, TreeView component and the YUI JavaScript library overall are not affected. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Exploits (2)

exploitdb WORKING POC VERIFIED
by SITE Team · text · webapps · php
https://www.exploit-db.com/exploits/51198

This exploit demonstrates multiple reflected XSS vulnerabilities in YUI2 TreeView v2.8.2 by injecting malicious scripts via URL parameters. The PoC provides specific URLs with payloads that trigger XSS alerts.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Yahoo User Interface library (YUI2) TreeView v2.8.2
No auth needed
Prerequisites: Access to a vulnerable YUI2 TreeView installation
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by ryan412 · poc
https://github.com/ryan412/CVE-2022-48197

This repository provides a proof-of-concept for CVE-2022-48197, demonstrating reflected XSS vulnerabilities in multiple files of the Yahoo YUI2 library. The exploit URLs show how arbitrary JavaScript can be injected via the 'mode' parameter.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Yahoo YUI2 (unspecified version)
No auth needed
Prerequisites: Access to a vulnerable YUI2 installation
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Yahoo User Interface library (YUI2) TreeView v2.8.2 - Cross-Site Scripting
MEDIUM · VERIFIED · by ctflearner
Shodan: html:"bower_components/yui2/" || http.html:"bower_components/yui2/"
FOFA: body="bower_components/yui2/"

Scores

CVSS v3: 6.1
EPSS: 0.0661
EPSS Percentile: 93.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): yui_project/yui 2000 - 2800
Published: Jan 02, 2023
Tracked Since: Feb 18, 2026